  1. #1
    SitePoint Wizard DoubleDee's Avatar

    This Connection is Untrusted

    I am at the library, and when I went to use their free wi-fi, Firefox displays this message...

    Attachment 61597


    Questions:

    1.) What exactly does that message mean?

    2.) Should I be overly concerned about it?

    3.) Should I "run for my life" from the library?


    I understand the risks of "free wi-fi", but that is my only option at the moment. So based on that, I'd like to understand what additional risks the screen-shot I posted above may cause.

    Sincerely,


    Debbie

  2. #2
    Barefoot on the Moon! silver trophy
    Force Flow's Avatar
    The site is using an SSL certificate that isn't recognized by any of the Internet's root certificate authority servers.

    Since I see the address is an IP address, I'd guess that it's a self-created SSL certificate of the device managing wireless connections.

    It's likely that it's a sign-on page for gaining wifi access to verify that you are a library patron.
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  3. #3
    SitePoint Wizard DoubleDee's Avatar
    Originally posted by Force Flow:
        The site is using an SSL certificate that isn't recognized by any of the Internet's root certificate authority servers.

        Since I see the address is an IP address, I'd guess that it's a self-created SSL certificate of the device managing wireless connections.

        It's likely that it's a sign-on page for gaining wifi access to verify that you are a library patron.
    Not sure I follow your response.

    What about questions #2 and #3?

    Whatever the library I was at is doing, it seems like they aren't being very careful or secure...

    Sincerely,


    Debbie

  4. #4
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Originally posted by DoubleDee:
        it seems like they aren't being very careful or secure...
    Nah, the problem is that they haven't forked out lots of money to get their SSL certificate "verified" by a recognized company. That doesn't mean their connection is any less secure. It's just an annoying message that you can ignore if you trust the organisation offering the connection—which in this case, you can.

    My own web hosting account gives me the same message. The only way around it is to pay big $$$ for a pointless "verified" SSL certificate. But I don't bother, because I trust myself.

  5. #5
    SitePoint Wizard DoubleDee's Avatar
    Originally posted by ralph.m:
        Nah, the problem is that they haven't forked out lots of money to get their SSL certificate "verified" by a recognized company. That doesn't mean their connection is any less secure. It's just an annoying message that you can ignore if you trust the organisation offering the connection—which in this case, you can.
    I'm still not understanding what is going on here...

    Why is the library using an SSL certificate for free wi-fi in the first place?

    Here is what happens when I want to access the Internet at this library...

    - I choose the library's hot-spot
    - I open Firefox
    - I get that error page
    - I choose to ignore that message by adding the library as an exception
    - I get some library landing page
    - I check the box next to the "Terms" and click "Accept"
    - I am connected to the Internet


    There is no User Account or User Log-In required, so what purpose would any SSL certificate serve??


        My own web hosting account gives me the same message. The only way around it is to pay big $$$ for a pointless "verified" SSL certificate. But I don't bother, because I trust myself.
    I'm not following you.

    You have a website that others have to deal with the same issue?

    Or you have a similar issue to just connect to the Internet with your ISP?

    Or something else?


    Back to my OP, when should the error page I showed above make me leave immediately? (I've come across that before on the Internet.)

    Sincerely,


    Debbie

  6. #6
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Originally posted by DoubleDee:
        Why is the library using an SSL certificate for free wi-fi in the first place?
    To encrypt the connection between your computer and the wifi so that the person three desks over can't capture everything you type in.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  7. #7
    SitePoint Wizard DoubleDee's Avatar
    Originally posted by felgall:
        To encrypt the connection between your computer and the wifi so that the person three desks over can't capture everything you type in.
    Do all free wi-fi connections do that?

    I guess I thought SSL/HTTPS was a function of the websites I was visiting on the free wi-fi, and not a feature of the free wi-fi itself. For example, if I log into my SitePoint account on a free wi-fi connection, it is SitePoint protecting my log-in credentials, right?


    Debbie

  8. #8
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Originally posted by DoubleDee:
        You have a website that others have to deal with the same issue?
    No, when I go to log in to the backend of my web hosting account, it is an https connection, and thus I get the warning message, so it's not something that affects site users.

    If you want a protected web connection (for the reasons that felgall described)—that is, to go to https as opposed to http—you need to set up an SSL certificate. It's perfectly fine to create one yourself, and is free, but from a browser's point of view, it's not as reliable as one that's verified by a trusted SSL company. So if you have an ecommerce website that grabs credit card details from customers, it's best to get the SSL certificate endorsed by a reputable company. That way, the browser knows to trust the certificate.

    The library is providing you with a more secure connection by sending you to https, so they are trying to do the right thing, but the warning message is a bit of a pain. If you were visiting a site by someone you didn't know, the browser would want you to know that even though it's an https connection, you may not be able to trust the person at the other end who is getting your data.

  9. #9
    SitePoint Wizard DoubleDee's Avatar
    Originally posted by ralph.m:
        If you want a protected web connection (for the reasons that felgall described)—that is, to go to https as opposed to http—you need to set up an SSL certificate. It's perfectly fine to create one yourself, and is free, but from a browser's point of view, it's not as reliable as one that's verified by a trusted SSL company. So if you have an ecommerce website that grabs credit card details from customers, it's best to get the SSL certificate endorsed by a reputable company. That way, the browser knows to trust the certificate.
    SSL certificates like you describe only cost maybe $100 per year, so I don't see why it would be an issue for anyone wanting to provide a "secure" connection...


        The library is providing you with a more secure connection by sending you to https, so they are trying to do the right thing, but the warning message is a bit of a pain. If you were visiting a site by someone you didn't know, the browser would want you to know that even though it's an https connection, you may not be able to trust the person at the other end who is getting your data.
    Is it unsafe to use a free wi-fi connection that isn't using an HTTPS connection? (That is probably an oxymoron... "safe" and "free wi-fi", but you know what I mean!)

    Sincerely,


    Debbie

  10. #10
    Barefoot on the Moon! silver trophy
    Force Flow's Avatar
    Originally posted by DoubleDee:
        SSL certificates like you describe only cost maybe $100 per year, so I don't see why it would be an issue for anyone wanting to provide a "secure" connection...
    Because it costs $100 a year. A self-made SSL certificate is just as secure as one officially recognized by a certificate authority, and it's free. Typically, the only time you want an officially recognized SSL certificate is if you're running an ecommerce site so that visitors don't have a concerned reaction like you are having right now.

    An SSL certificate simply encrypts the data between the server and the client so third parties can't see what's being transferred.


        Is it unsafe to use a free wi-fi connection that isn't using an HTTPS connection? (That is probably an oxymoron... "safe" and "free wi-fi", but you know what I mean!)
    A WiFi connection doesn't use HTTPS--that's reserved for website traffic. It uses WPA, WPA2, or WEP for network encryption. Network encryption prevents third parties from unauthorized access to the network.

    But in answer to the question, if you use HTTPS while on a WiFi connection (secured or not), your information is safe. If you use HTTP, everything that is transferred to and from your computer over this protocol is broadcast in the clear (as in, anyone with a packet sniffer can see POST and GET responses).

    However, some wireless access points do have a "wireless isolation" feature, which prevents wireless clients from seeing each other's traffic. However, there's not a good way to tell if this feature is enabled without some thorough testing and either multiple wireless devices or cooperation from another wireless user.
    Last edited by Force Flow; Feb 23, 2013 at 19:03. Reason: typo

  11. #11
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    There are two purposes served by an SSL certificate -

    1. securing data between the browser and the server
    2. Confirming the identity of the site you are connecting to.

    A paid certificate is required for the second of these but a self-made certificate or one offered by a third party is equally effective for the first.

    So for connecting to your own web site to read your emails online you can use the webhosting provided certificate to get a secure connection and because you know that your site is hosted with them you know that you are accessing the right place even though the certificate doesn't match the domain.

    With access over local WiFi a self-made certificate can be used because there will be someone physically present at the location who can confirm the certificate really does belong to them IN PERSON so that you don't have to rely on one of the major SSL authorities having issued the certificate and trusting that authority to have checked who the certificate is issued to. Trusting the person in front of you in this situation is even better than trusting some authority that the people who wrote your browser decided to trust to issue certificates. With a library WiFi any library owned computers wouldn't even be producing that alert as the person who set up the network would have added their certificate as a trusted certificate in the browsers on those computers. If you trust the library connection you can make it a trusted certificate in your browser and never see the warning again. If you don't trust it then don't use their network at all.
    Stephen J Chapman
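
The in-person confirmation felgall describes comes down to comparing fingerprints: staff give you the SHA-256 fingerprint of their certificate, and you check that the certificate presented to you has the same one before adding an exception. This is an added example, not code from any poster in this thread; the function names and the sample bytes are made up for illustration.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in bytes, not real certificates; the hash works on any bytes.
SAMPLE_PORTAL_CERT = b"constructed-portal-certificate-der"
SAMPLE_OTHER_CERT = b"constructed-other-certificate-der"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER encoding, colon-separated as browsers display it."""
    hexed = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))


def parse_fingerprint(text: str) -> bytes:
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' as read off a printed notice."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n")
    digest = bytes.fromhex(cleaned)  # raises ValueError if not valid hex
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    return digest


def matches_expected(der_cert: bytes, expected: str) -> bool:
    """True only if the presented certificate is the one confirmed in person."""
    presented = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(presented, parse_fingerprint(expected))


def fetch_presented_cert(host: str, port: int = 443) -> bytes:
    """Return the certificate a server presents, without validating its chain."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Offline demo: pretend staff handed over the fingerprint of SAMPLE_PORTAL_CERT.
    from_staff = cert_fingerprint(SAMPLE_PORTAL_CERT)
    print("portal cert matches:", matches_expected(SAMPLE_PORTAL_CERT, from_staff))
    print("other cert matches: ", matches_expected(SAMPLE_OTHER_CERT, from_staff))
```

On a live network, `fetch_presented_cert` would supply the bytes to check; a mismatch means the certificate you were shown is not the one staff vouched for.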

  12. #12
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Originally posted by felgall:
        the person who set up the network would have added their certificate as a trusted certificate in the browsers on those computers.
    Aw, didn't know you could do that. Firefox always used to accept the site once I reassured it, but on Chrome, it always kicks up a fuss. After some Googling, found this page that showed how to stop that:

    http://www.robpeck.com/blog/2010/10/...-certificates/

    (In fact, the process is easier than described there, so perhaps Chrome has improved the situation. Worked nicely.)

  13. #13
    SitePoint Zealot
    Originally posted by Force Flow:
        Because it costs $100 a year. A self-made SSL certificate is just as secure as one officially recognized by a certificate authority, and it's free. Typically, the only time you want an officially recognized SSL certificate is if you're running an ecommerce site so that visitors don't have a concerned reaction like you are having right now.
    You aren't talking $100 though? You can get recognised certs below $10 that won't give this error.
    Richard
    Resell SSL Certificates - API / WHMCS / HostBill / ClientExec
    ServerTastic - RapidSSL, Geotrust, Thawte, Symantec, SmarterTools and more

  14. #14
    Barefoot on the Moon! silver trophy
    Force Flow's Avatar
    Originally posted by RichardAskew:
        You aren't talking $100 though? You can get recognised certs below $10 that won't give this error.
    Yes, you can get less expensive certs. I was simply quoting what DoubleDee said to make a point.

    The lowest I've seen from a known reputable CA is around the $30 mark. I've also seen certs go as high as $600.

  15. #15
    SitePoint Zealot
    Originally posted by Force Flow:
        Yes, you can get less expensive certs. I was simply quoting what DoubleDee said to make a point.

        The lowest I've seen from a known reputable CA is around the $30 mark. I've also seen certs go as high as $600.
    You can get a RapidSSL cert for around $10 that is owned by GeoTrust and in turn owned by Symantec. You can pay much, much more than $600. You aren't paying just for the cert then though, it's the whole trust around it - http://blog.servertastic.com/a-look-...-certificates/ (Mods the link is relevant but let me know if you want it removed).
    Richard

